September 27, 2009

Phones as a key to the cloud realm

While everyone is busy discussing the Tablet Wars, which will undoubtedly break out soon enough, I think we are approaching faster than ever what everyone already knows is the next step in computing.

It's not far from what Microsoft named "Three Screens and a Cloud": the central hub, the Cloud, is the place where the data actually is. The user is able to access the data using either a PC, a TV or a Phone, either at home, work or in the metro.

What the tablet wars (or the phone wars, for that matter) are trying to determine is "how" the user is going to access the data. The concept itself, however, is already being sold as something certain, regardless of Stallman's opinions.

If we take it for granted, then what are the phones - or the PCs, or the TVs - good for? If we start reasoning in terms of anything-as-a-service, it doesn't really matter whether your phone or your PC has 1 GB or 512 MB of RAM, as long as it is able to stream you multimedia representations somebody computed somewhere. Try OnLive to get an exact idea of what I'm speaking about.

This said, it seems to me this OS-hardware war should transform itself into a form-factor war, which is most likely going to end up with some degree of flexibility for the mobile end (someone will prefer smaller form factors, like phones, while someone else will still like the larger screens laptops can offer, and so on), and pervasive docking stations everywhere. Once you plug your phone into the dock you get access to a larger screen and to all your data and software in the cloud. Maybe your local office cloud, maybe your personal cloud or maybe even some sort of "service-provider customized cloud"; it doesn't really matter.

However, phones will still play a critical role as KEYS. If we want to think about secure cloud computing we have to think about pervasive, high-security encryption. Phones and other devices, then, will just become our personal wallets, storing access credentials we can unlock with a password, which in turn will unlock all our cloud-stored data. That is, until we start to actually use biometrics... but that's another post.

September 22, 2009

Virtual appliances forensics

In the last few months I've been mostly busy exploring virtualization security issues,

Classy SMB Wireless hotspots

I recently got a request for advice on building a wireless hotspot for a luxury cafeteria. The Pisanu law in Italy enforces a set of rules on public shops providing free internet access, such as customer identification (through an ID document) and access logging. Like it or not, this poses some challenges to the standard "Open WiFi" configuration you usually see around the world in such places.

In an enterprise environment, the solution would be to implement a proper Wi-Fi access infrastructure with a partial self-service procedure to enroll, get a certificate and thus create usernames and access logging. However, such a procedure is not really viable in a single shop. A luxury place also requires any solution to be easy to use for the customers and somehow classy: no on-demand generation of keys, no ugly panels and so on.

I googled around and found some commercial solutions to the issue, each one proposing some sort of captive portal and monitoring solution. While I've not performed any comparative analysis of the commercial solutions, there was really nothing which made me "go wow", or that is really missing from the open-source solutions I will describe in a moment.

Why open-source solutions for a high-end environment, you might ask. For one, customization. There's only so much you can do with closed-source, commercial software without great economic effort. However, since we are sensible administrators and managers, we want something we don't have to tweak, something which "just works". And it seems there are a lot of free, working alternatives on the market.


ZeroShell is the first to come to mind, perfectly capable of doing everything we need. My friend Luca Carettoni performed some auditing on the platform some time ago, discovering some bugs which were promptly patched: this is no life insurance, but it means that the level of security is at least able to pass a "free audit", which is more than most commercial solutions can guarantee.
Chillispot is another well-known player in this market sector: it is able to run on any standard server, providing integration with a RADIUS server. However, the project is now dead and its most likely successor is Coova. Coova's aim is to create a firmware (based on OpenWRT) for a number of devices, which includes a web-based panel and a powerful captive portal. Documentation is not as complete as it could be, but the project has an active community and can be tested in a few minutes.

In the end, my pick was: start from either ZeroShell or Coova, and customize the captive portal interface and the user management panel. Enrollment is "manual", since customers have to present their ID. Once their user has been created, it can be reactivated by logging in to the captive portal on future dates. In the end, the entire project would cost less than 200 EUR in hardware and a couple of days to configure and set up.
The results? A stable, completely custom - and most likely secure - hotspot.
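As an added example (not part of this post, nor code from the ZeroShell or Coova projects), the identification-plus-logging requirement above boils down to being able to answer "which enrolled customer held this address at this time". The script assumes the captive portal NAS feeds a RADIUS server that writes FreeRADIUS-style detail accounting records, and uses a constructed enrollment table and constructed accounting data:

```python
# Correlates captive-portal RADIUS accounting with the manual enrollment records.
# Assumed, not from the post: FreeRADIUS 'detail' accounting layout as fed by a
# Chillispot/Coova NAS. All enrollment and accounting data below is constructed.
from datetime import datetime
ENROLLMENT = {"mrossi": "ID card AB123456", "jdoe": "Passport X9876543"}
DETAIL = """\
Tue Sep 22 10:00:00 2009
\tAcct-Status-Type = Start
\tUser-Name = "mrossi"
\tFramed-IP-Address = 10.1.0.23
\tAcct-Session-Id = "4ab8c0a1"

Tue Sep 22 11:30:00 2009
\tAcct-Status-Type = Stop
\tUser-Name = "mrossi"
\tFramed-IP-Address = 10.1.0.23
\tAcct-Session-Id = "4ab8c0a1"

Tue Sep 22 11:45:00 2009
\tAcct-Status-Type = Start
\tUser-Name = "jdoe"
\tFramed-IP-Address = 10.1.0.23
\tAcct-Session-Id = "4ab8c0a2"
"""

def parse_detail(text):
    """Group Start/Stop records by Acct-Session-Id; Interim-Update is ignored."""
    sessions = {}
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        when = datetime.strptime(lines[0].strip(), "%a %b %d %H:%M:%S %Y")
        attrs = {k: v.strip('"') for k, v in
                 (l.strip().split(" = ", 1) for l in lines[1:])}
        key = {"Start": "start", "Stop": "stop"}.get(attrs["Acct-Status-Type"])
        if key is None:
            continue
        sess = sessions.setdefault(attrs["Acct-Session-Id"],
            {"user": attrs["User-Name"], "ip": attrs["Framed-IP-Address"]})
        sess[key] = when
    return sessions

def who_had_ip(sessions, ip, at):
    """(username, ID document) holding `ip` at `at`; open sessions count."""
    for s in sessions.values():
        if s["ip"] != ip or "start" not in s or at < s["start"]:
            continue
        if "stop" not in s or at <= s["stop"]:
            return s["user"], ENROLLMENT.get(s["user"])
    return None
```

The same lookup works over a real detail file read from disk; the point is that the identity answer comes from the enrollment record, not from the username alone.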


Update: I've just come across Sputnik and the project seems to be vastly superior compared to the competitors!